Most small firms don't have a formal way to assess whether their IT is in good shape. They have a general sense — things mostly work, issues get resolved, there haven't been any major disasters — but that's a low bar. "Nothing catastrophic has happened" is not the same as "our systems are well-managed."
Here are the questions that actually tell you where you stand.
Can you recover from a ransomware attack?
This is the most important question in small business IT right now, and most firms can't answer it with confidence. Answering it requires knowing two things: what your backup coverage actually includes (email? SharePoint? local servers? workstations?), and when backups were last tested by actually restoring from them.
A backup that's never been tested is a backup of unknown reliability. Most IT providers will tell you they have backups running. Fewer will tell you the last time a restore was verified.
How long would it take to get a new employee fully set up?
Onboarding a new employee quickly is a meaningful operational test. If getting someone a laptop, an email account, the right software, and access to the right files takes more than a day, there's probably a documentation and process gap worth addressing.
Slow onboarding usually reflects the same underlying problem as slow recovery from failures: the environment isn't well-documented.
Do you know what devices are on your network?
An accurate, current asset inventory — what machines exist, what software they're running, when they were last patched — is the foundation of a managed IT environment. If your IT provider can't produce this on request, the environment isn't being managed proactively; it's being reacted to.
When did you last have a security conversation that wasn't prompted by an incident?
A proactive IT partner surfaces security concerns before they become incidents — aging hardware, misconfigured policies, accounts that should have been deprovisioned. If the only time security comes up is after something goes wrong, that's a signal about how the relationship is structured.
Is your Microsoft 365 configuration intentional?
The default settings in Microsoft 365 are not optimal security settings. Conditional Access policies, external sharing controls, guest access permissions, and retention policies all require deliberate configuration. Most small organizations have these in whatever state the initial setup left them, which is often not where they should be.
A periodic review of your Microsoft 365 security settings — even a brief one — tends to surface things worth addressing.
What to do with the answers
If you worked through these questions and felt confident about most of them, your environment is probably in reasonably good shape. If several of them exposed gaps you hadn't thought about, that's useful information — not cause for alarm, but worth addressing deliberately rather than waiting for an incident to force it.